Cookie And Privacy Policy

Our Data, Privacy & Cookie Policy

Spheralytical is committed to protecting your privacy and ensuring transparency in how we handle your data. This Cookie and Privacy Policy explains how we collect, use, and protect your personal information, including our use of cookies and website analytics tools.

0 Key facts at a glance

  • Who we are: Spheralytical (Pty) Ltd, a South-African analytics and software company.

  • Legal framework followed: POPIA (South Africa), GDPR (EEA + UK), PECR (UK), CAN-SPAM (US).

  • Where your data live: Primary production servers are in South Africa (Johannesburg and Cape Town). Certain supporting SaaS tools—CRM, project management, email marketing and analytics—run in the European Union (Frankfurt, Dublin or Amsterdam data-centres) and are covered by Standard Contractual Clauses.

  • Fastest way to reach us: Complete the Contact Us form available in the footer of every page.

  • Your main rights: access, correction, deletion, restriction, objection, portability and the right to complain to the Information Regulator (South Africa) or another supervisory authority.

A Privacy Policy

A1 Who we are and scope

Spheralytical (Pty) Ltd (“Spheralytical”, “we”, “us”) is the responsible party / data controller for any personal data collected through our websites, landing pages, chat widgets, emails or telephone calls that reference this Policy. When we process client data on a client’s behalf, we act as an operator / processor and follow the client’s written instructions.

A2 What personal information we collect

  1. Information you provide directly

    • Name, surname, job title, company, email address, telephone number.

    • Content of messages sent through our Contact Us form, demo request forms, live-chat or email.

    • CVs or proposals you upload when applying for work or partnership.

  2. Information collected automatically

    • IP address, broad geolocation (city or region), browser type and version, device operating system, screen resolution, referring URLs, time spent on pages and click-stream data.

  3. Client content (for paying customers)

    • Contracts, reports, mine-site telemetry, engineering drawings, maintenance schedules, employee rosters or any other files we are asked to process.

We do not intentionally collect information about children under the age of 18.

A3 Why we process your information and the lawful bases

  • Operating our websites and preventing abuse – legitimate interest.

  • Responding to your enquiries or demo requests – consent or steps needed to enter into a contract.

  • Delivering contracted services (including processing mining-related data) – contract performance.

  • Sending service announcements, invoices and regulatory notices – legal obligation.

  • Sending marketing emails and product updates to existing B2B contacts – legitimate interest with easy opt-out; new subscribers are added only with consent.

  • Improving site usability and measuring campaign performance – consent (for non-essential cookies and analytics).


A4 How we handle client data specifically

  • Segregation: Each client’s data sit in a logically isolated tenant within our South-African cloud environment.

  • Encryption: AES-256 at rest; TLS 1.3 in transit.

  • Access controls: Role-based permissions and multi-factor authentication; quarterly access reviews; least-privilege principle.

  • Retention: Project files are retained for five years, longer where mine-health-and-safety regulations require, then securely erased or anonymised, unless the client instructs us to delete sooner.

  • Sub-processors: Only carefully vetted service providers hosted in the EU. Data Processing Agreements and modernised Standard Contractual Clauses govern all sub-processing. No subcontractor may view raw client data without express written approval from the client.

A5 How we share information

We never sell or rent personal information. We share it only:

  • With authorised employees, contractors and professional advisers who need the data to do their jobs and are bound by confidentiality.

  • With carefully selected service providers (hosting, CRM, email, analytics) that are contractually obliged to safeguard data and use it only on our instructions.

  • With regulators, courts or law-enforcement agencies when the law obliges us, or when necessary to protect our rights or the safety of others.

If data leave South Africa, they are protected by at least one of the following: EU adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement, or Binding Corporate Rules.

A6 Your rights and how to exercise them

You may ask us to:

  • confirm whether we hold personal data about you;

  • provide a copy of that data in a commonly used format;

  • correct or update inaccurate data;

  • delete data that are no longer necessary (subject to statutory retention);

  • restrict or object to certain processing activities;

  • transfer your data to another controller;

  • stop sending direct marketing.

Submit your request via the Contact Us form. We verify identity before actioning a request and aim to respond within one month (GDPR) or 30 days (POPIA).


B Cookie & Tracking Policy

B1 What cookies are

Cookies are small text files placed on your device to store information or recognise your browser. Two kinds are exempt from consent requirements: cookies used solely for transmitting communications and those strictly necessary for a service you explicitly request.

B2 Categories of cookies we use

  • Essential cookies – session identifiers, load-balancing tokens, and CSRF protection.

  • Performance cookies – diagnostics that help us understand site speed and error frequency.

  • Analytics cookies – Google Analytics 4, LinkedIn Insight Tag and Meta Pixel; IP addresses are truncated inside the EU before further processing.

  • Advertising cookies – retargeting tags that limit ad frequency and measure campaign effectiveness.

  • Functionality cookies – remember your language, region or cookie-consent choice.

B3 How you can manage cookies

  • Use the floating Cookie Settings panel on our site to accept, reject or fine-tune non-essential cookies.

  • Alternatively, disable or delete cookies in your browser settings. Blocking essential cookies may break log-in sessions or form submissions.


C Data Protection & Security Policy

C1 Governance

  • A board-approved information-security programme reviewed at least annually.

  • A designated Data Protection Officer who delivers quarterly privacy and security reports to senior management.

C2 Technical and organisational measures

  • Next-generation firewalls, web-application firewalls and 24 × 7 security operations centre monitoring.

  • Security information and event management (SIEM).

  • Daily encrypted backups are retained for 30 days.

  • Disaster-recovery objectives: Recovery Time Objective under 24 hours.

C3 Incident-response procedure

  1. Detect and triage within eight hours of an alert.

  2. Contain, eradicate and recover using a defined playbook.

  3. Notify affected clients and, where required, the Information Regulator within 72 hours (GDPR) or as soon as reasonably possible (POPIA).

C4 Training and awareness

Every employee and long-term contractor completes mandatory privacy and cyber-security training upon onboarding and annually thereafter. Role-specific training is provided to developers, administrators and customer-support staff.

C5 Supplier management

New suppliers undergo a due diligence questionnaire, sign Data Processing Agreements and are reassessed annually. We retain audit rights and may terminate agreements if suppliers fail to meet our security standards.

 
